Financial institutions developing or reviewing their information
security controls, policies, procedures, or processes have a
variety of sources upon which to draw. First, federal laws
and regulations address security, and regulators have issued
numerous security-related guidance documents. See Appendix B
for a listing of laws, regulations, and agency guidance. See
also the FFIEC IT Examination Handbook series of booklets, of which
this booklet is a part. Institutions also have a number of
third-party or security industry resources to draw upon for
guidance, including outside auditors, consulting firms, insurance
companies, and information security professional
organizations. In addition, many national and international
standard-setting organizations are working to define information
security standards and best practices for electronic
commerce. While no single, formally industry-accepted security
standard exists, these various standards provide benchmarks that
both financial institutions and their regulators can draw upon when
developing industry expectations and security
practices. Some standard-setting groups include the following
organizations:

The National Institute of Standards and Technology (NIST)
at www.nist.gov;

The International Organization for Standardization (ISO)
at www.iso.ch, with specific information technology standards
such as
the Code of practice for information security management (ISO/IEC
17799) and
Information technology - Security techniques - Evaluation criteria for
IT security (ISO/IEC 15408, commonly known as the Common Criteria); and

The Information Systems Audit and Control Association
(ISACA) - Control Objectives for Information and related Technology (CobiT),
at www.isaca.org/cobit.htm.